Government toughens up online privacy rules for kids’ websites

Apps aimed at kids need to limit data gathering or face legal action.

There is currently no federal online privacy law, which makes it essentially impossible for government agencies like the Federal Trade Commission to go after Internet companies unless they violate their own published privacy policies.

One area where that's not true is when it comes to kids. When dealing with children under 13 years old, online service companies can't collect personal information (like e-mail addresses) without explicit permission from a parent or guardian. The FTC can prosecute companies that gather kids' data without parental consent. The commission has used that power, too, against both small developers and big companies like Sony.

Technology, and the terms used to regulate it, change over time. The Children's Online Privacy Protection Act (or COPPA) was passed in 1998, and since then it has become unclear exactly what is or isn't allowed. A new set of rules published by the FTC today doesn't change existing law, but it should lend more clarity to enforcing privacy protection for kids in the changing tech world, especially when dealing with location technologies and mobile apps.

Specifically, the new rules:

Make clear that the "personal information" that can't be collected without parental consent includes geolocation information, photographs, and videos

Make clear that third parties (like advertising networks) must also comply with COPPA

Close a loophole that allowed kids' information to be collected via plug-ins without parental notice

Clarify that "persistent identifiers" are also protected information, like IP addresses and mobile device IDs

Require that websites aimed at kids have "reasonable procedures" for data retention and deletion

The new rules are needed in order to stop behavioral marketers from building "massive profiles" of children using identifiers like mobile device IDs. "Some companies, especially ad networks, have an insatiable appetite for information, even from kids," said Leibowitz.

Leeway will be given to sites or apps that aren't explicitly aimed at kids.

The new rules won't hurt online business, including businesses based on advertising, he said. Ads that aren't "behavioral," or targeted using user data, won't be affected.

"Under this rule, advertisers and ad networks can continue to advertise even on sites directed to children," said Leibowitz. "Business models that depend on advertising will continue to thrive. The only limits are on behavioral advertising."

One of the proponents of the new rules, Sen. John Rockefeller (D-WV), said he would like to go further and pass federal legislation making sure the "Do Not Track" options now installed on Web browsers have some actual legal teeth to them. But the political reality is that he can't do that right now because of opposition from the business community.

"I'd like to see a Do Not Track bill passed this afternoon, but we can't do that," said Rockefeller. "So we've got to build towards it." He continues to be "baffled" by opposition from the Chamber of Commerce, he said. "It's very depressing."

This is ridiculously unenforceable and arbitrary. Is Nintendo a site that is targeted at children?

Heck, how many websites -are- specifically directed at children?

Good question. There's a lot of debate about that - after all, it affects how we use the Wii and other Nintendo consoles. Nintendo is seen as a "videogames for children" so there's some aspect to that (and why we can't have )(@&#)& online accounts to link our purchases to).

Of course, I guess Nintendo aims to play it safe and assume they're child-oriented...

This is ridiculously unenforceable and arbitrary. Is Nintendo a site that is targeted at children?

Heck, how many websites -are- specifically directed at children?

Disney, Nickelodeon, ABCMouse...

But, looking at how they're talking about it on the mainstream news, this looks mostly targeted at games.

There are some. The problem is those are really the only ones I can think of, which I would imagine means they're the only ones most kids can think of - basically websites for kid's TV shows, and the companies that produce that sort of thing.

But then you run into weird cases like Nintendo's website, which honestly doesn't look like a site for kids to me, but I can easily see lots of kids going there. You've got Super Mario Bros Wii U advertised right next to Ninja Gaiden on the website. Even Disney's website has buttons for how to plan a trip to Disney World right on there next to a picture of a kid in a costume.

Unfortunately, this very bad qualification will make it even more difficult for the little guy to compete. Very bad.

Let me also add that this "Sen. John Rockefeller" is potentially an idiot. Many sites that can't use cookies or IPs to track users will be unable to work if they are turned off or are not allowed to be used -- and people are stupid. Sure, we could prevent cross-site cookie tracking via legislation, but is that what he is really after? In general, government is doing a very poor job of understanding and adapting to technology.

If the government really cared about privacy there would have been already some advances on media sites cooking and phishing its users.

Media sites cooking their users? Is this a reference to Swift's "modest proposal" or a term for data-mining or setting them up for phishing or ...?

abhi_beckert wrote:

I wish they would just enforce all these rules (except for parental consent of course) for all websites, regardless of whether they're targeted at children.

While the intent in this idea may be noble, the potential harm if this sort of thing goes too far is forced identification of all users online. Logically that would be the only way to distinguish adults from children with much reliability, and it would be serious diminution of civil liberties.

The regs the story is about appear directed at only child-oriented sites, so this is fine for now. Other web legislation (CDA? if I recall correctly) have been judicially limited because of the implications for adult freedom online.

If a government decides that website owners cannot collect personal data on children, why stop there? Everyone on the Internet should be allowed to operate anonymously if desired. If the idea is to prevent websites geared to children to prevent them from opening popup forms requesting personal information, that should be extended to ALL websites. How in blazes is the government going to know who is connecting and how old they are without violating every ethical or moral standard of behavior? How is any government going to enforce a "no child data collection by website" statute without collecting information itself violating the statute?

The net result is that no one will have any privacy left at all, either on the Internet or in spite of the Internet.